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DETAILED ACTION 
Continued Examination Under 37 CFR 1.114 

1 . A request for continued examination under 37 CFR 1.114, including tine fee set 
forth in 37 CFR 1 .17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 1-13- 
2010 has been entered. Claims 1-18 and 29-38 are pending and have been examined. 

Response to Arguments 

2. Applicant's arguments with respect to claims 1-18 and 29-38 have been 
considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 1 02 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the Invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

4. Claims 1-4, 18, 37 and 38 are rejected under 35 U.S.C. 102(b) as being clearly 
anticipated by Nachenberg US 6,357,008. Nachenberg teaches: 
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As for claim 1 , a metliod for providing computer security (abstract), comprising: 
determining, using a processor, whether an executable associated with a static state 
meets one or more first predetermined criteria (col. 14 lines 1 1-22: the exploration 
module evaluates an executable according to predetermined criteria of whether an 
emulated instruction matches an entry from a list of suspicious operations); associating 
a first risk level with the executable based at least in part upon whether the executable 
meets the one or more first predetermined criteria (col. 14 line 16: exploration module 
records the suspicious operation); determining whether a current process associated 
with the executable meets one or more second predetermined criteria (col. 15 line 49 
through col. 17 line 21 : the evaluation module examines the processes recorded by the 
exploration module during emulation. This emulation of code reads on a current 
process. The evaluation module uses a list of known suspicious operations to examine 
the operations noted by the exploration module, this reads on the use of a second 
predetermined criteria) ; associating a second risk level with the current process based 
at least in part upon whether the current process meets the one or more second 
predetermined criteria (col. 16 line 65 through col. 17 line 55: a second predetermined 
criteria includes a predetermined list of highly suspicious behaviors), wherein the 
current process is initially associated with the first risk level (col. 15 line 49 through col. 
17 line 21 : the evaluation module examines the processes recorded by the exploration 
module during emulation to which the first risk level has been assigned), and wherein 
the first risk level is updated to the second risk level for the current process based at 
least in part upon whether the current process meets the one or more second 
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predetermined criteria (col. 17 lines 12-55); and performing a predetermined responsive 
action with respect to the process if the second risk level exceeds a threat detection 
threshold (col. 17 lines 12-21, col. 17 lines 50-55); wherein determining whether the 
executable meets the one or more predetermined criteria does not comprise comparing 
the executable with a virus signature (Nachenberg discloses the use of emulation of 
code and the evaluation of code segments for suspicious behaviors and does not utilize 
virus signature matching). 

As for claims 37 and 38: Claim 37 represents the apparatus configured to carry 
out the method steps of claim 1 , Claim 38 represents the computer-program product 
that instructs a processor to undertake the method steps of claim 1 . Claims 37 and 38 
recite substantially the same limitations as claim 1 and are thereby rejected on the 
same basis as that claim. 

As for claim 2, the method for providing computer security of claim 1 , wherein the 
risk level indicates a level of potential risk that will be brought by operating the 
executable (col. 17 lines 12-22). 

As for claim 3, the method for providing computer security of claim 1 , wherein the 

risk level indicates how much risk the executable presents (col. 17 lines 12-22, lines 50- 
55: the evaluation module will report the type of virus likely present in the executable). 
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As for claim 4, tlie metliod for providing computer security of claim 1 , wherein the 
predetermined criterion includes a configuration criterion (col. 9 lines 52-62). 

As for claim 18, the method for providing computer security of claim 1 comprising 
associating with the executable, a risk type indicating a type of risk to which the 
executable is vulnerable (col. 17 lines 12-22, lines 50-55: evaluation module will report 
the type of virus likely present in the executable). 

5. Claims 7, 8, 10, 12-17 and 29-34 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Nachenberg, and further in view of Tajalli et al. (US 
2004/0143749 A1 ). 

As for claim 7, Nachenberg discloses all of the limitations of claim 7, except 
where the predetermined criterion is used to determine whether the executable is 
installed via a standard procedure. The general concept of determining whether an 
executable is installed via standard procedure is well known in the art as illustrated by 
Tajalli, who discloses controlling access to system resources by a process based on a 
behavior control description for the process set to which it belongs (Para. 0020, lines 5- 
7). Therefore, it would have been obvious for one of ordinary skill in the art at the time of 
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the invention to nriodify Nachenberg to include the use of a predetermined criterion to 
determine if an executable has not properly installed, in order to prevent malicious code 
execution on a computer system. 

As for claim 8, Nachenberg discloses all the limitations of claim 8, except where 
the predetermined criterion is used to determine whether the executable has sufficient 
access control. The general concept of determining if an executable has sufficient 
access control is well known in the art as illustrated by Tajalli, who discloses an access 
control engine used to monitor access to and use of critical system resources: the IDS 
of Tajalli watches applications requested and resources used, looking for requests or 
uses that depart from acceptable use and behavior (Para. 0081, lines 1-11; Para. 0161, 
lines 12-14; Para. 0175, lines 5-6). Therefore, it would have been obvious for one of 
ordinary skill in the art at the time of the invention to modify Nachenberg to include the 
use of determining sufficient access control in order to control access rights to system 
resources. 

As for claim 10, Nachenberg discloses all the limitations of claim 10, except the 
method of providing computer security wherein the predetermined criterion is used to 
determine whether the executable is signed. The general concept of determining if an 
executable is signed is well known in the art as illustrated by Tajalli, who discloses that 
the IDS will check for encryption within the executable (Para. 0161, lines 12-14; Para. 
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0169, line 1). Therefore, it would have been obvious for one of ordinary skill in the art at 
the time of the invention to modify Nachenberg to include the use of the step of 
determining if an executable is signed in order to determine the origin of the executable, 
as public key cryptography binds the signer's identity to the key used in signing. 

As for claim 12, Nachenberg discloses all the limitations of claim 12 except 
providing computer security wherein the predetermined criterion includes a capability 
criterion. The general concept of a predetermined criterion that includes a capability 
criterion is well known in the art as illustrated by Tajalli, who discloses a predetermined 
criterion including a capability criterion (Para. 0055, lines 1-2; Para. 0175, lines 5-6). 
Therefore, It would have been obvious for one of ordinary skill In the art at the time of 
the invention to modify Nachenberg to Include the use of a capability criterion, since 
such would increase the ability of the system to protect against attack by malicious 
code. 

As for claim 13, Nachenberg discloses all the limitations of the claim except the 
method for providing computer security wherein the predetermined criterion is used to 
determine whether the executable has networking capability. The general concept of 
determining If an executable has networking capability is well known In the art as 
disclosed by Tajalli (Para. 0244, lines 1; 0251, lines 2-9; Para. 0175, lines 5-6). 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of 
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the invention to modify Naclienberg to include the use of determining if malicious code 
has networking capability in order to protect against malicious code that may cause 
damage to a network. 

As for claim 14, Nachenberg discloses all the limitations of claim 14 except the 
where the predetermined criterion is used to monitor whether the executable has 
privilege manipulation capability. The general concept of determining whether an 
executable has privilege manipulation capability is well known in the art as illustrated by 
Tajalli (Para. 0050, lines 1-8:IDS would defines modifying or manipulating registry keys 
as inappropriate behavior to be blocked). Therefore, it would have been obvious for one 
of ordinary skill in the art at the time of the invention to modify Nachenberg to include 
the use of this step in order to protect the system against malicious codes that may act 
to modify a system registry for example. 

As for claim 15, Nachenberg discloses all the limitations of claim 15 except the 
step wherein the predetermined criterion is used to determine whether the executable 
has remote process capability. The general concept of determining if an executable has 
remote process capability is well known in the art as illustrated by Tajalli, (Para. 0236, 
lines 1-3; Para. 0239, line 1 : IDS is configured to control network services to include 
remote connection ). Therefore it would have been obvious for one of ordinary skill in 
the art at the time of the invention to modify Nachenberg to include the use of this step 
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in order to prevent the network from being compromised by use a malicious code at a 
local site that allows unauthorized entry to the network from a remote location. 

As for claim 16, Nachenberg discloses all the limitations of claim 16 except the 
step wherein the predetermined criterion is used to determine whether the executable 
has process launching capability. The general concept of determining if an executable 
code has process launching capability is well known In the art as illustrated by Tajalli, 
(Para. 0244, lines 1-2; Para. 0249, lines 1-2: malicious code can initiate HTTP 
connection to other Web servers). Therefore, it would have been obvious for one 
ordinary skill in the art at the time of the invention to modify Nachenberg to include the 
step of determining If an executable code has process launching capability In order to 
stop malicious code from utilizing other system resources from the network. 

As for claim 17, Nachenberg discloses all the limitation of the claim except the 
step wherein the predetermined criterion is used to determine whether the executable 
has a secure algorithm. The general concept of determining if malicious code has a 
secure algorithm is well known in the art as illustrated by Tajalli (Para. 0217, lines 1-2; 
Para. 0222, line 1 : IDS controls access to any attributes of files or directories Including If 
encryption Is present for the executable). Therefore, it would have been obvious for one 
of ordinary skill in the art at the time of the invention to modify Nachenberg to include 
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the use of this step in order to protect against executable code that uses encryption to 
hide a viral payload from a virus scanning routine. 

As for claims 29-31, Nachenberg discloses all the limitation of the claims except 
the steps comprising analyzing historical evidence; records of activities, and log files. 
The general concept of analyzing historical evidence, activities records, and log files is 
well known in the art as illustrated by Tajalli (Para. 0091, lines 1-7; Para 0097, line 1). 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of 
the invention to modify Nachenberg to include the use of these steps in order to more 
effectively evaluate potentially malicious code by the use of records associated with 
past examples of such code. 

As for claim 32, Nachenberg discloses all the limitations of the claim except the 
step wherein the historical evidence includes a system optimization file. The general 
concept of the use historical evidence that includes a system optimization file is well 
known in the art as illustrated by Tajalli (Para 0090, lines 3-8: system optimization files 
or swap files reside on the disk such that a communication module may retrieve this 
data and request an alert when an unusual event occurs). Therefore, it would have 
been obvious for one of ordinary skill in that art at the time of the invention to modify 
Nachenberg to include the use of swap files in order to obtain information relevant to 
building a system wide security policy. 
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As for claims 33 and 34, Naclienberg discloses all the limitation of tlie claims 
except the step of providing computer security wherein the historical evidence includes 
a crash dump. The general concept where such historical evidence includes a crash 
dump is well known in the art as illustrated by Tajalli (Para. 0090, lines 3-8: a 
communication module that monitors local log files, transfers log data to a management 
infrastructure, and request alerts when unusual events occur). Therefore, it would have 
been obvious for one of ordinary skill in the art at the time of the invention to modify 
Nachenberg to include the use a crash dump file and a prefetch file in order to gather 
information when system failures occur. 

6. Claims 9, 11, 35, and 36 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Nachenberg in view of Khazan et al. (US 2005/0108562 A1). 

As for claims 9 and 1 1 , Nachenberg discloses all the limitations of the claims 
except where the predetermined criterion is used to determine whether the executable 
is recent and determine whether the executable has a modified date different from the 
created date. The general concept of determining whether an executable is recent and 
determining whether the executable has a modified date different from its creation date 
is well known in the art as illustrated by Khazan, who discloses analyzing an executable 
to determine when in time a modification has taken place (Para. 0107, lines 14; Para. 
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01 15, lines 1-19). Therefore, it would have been obvious for one of ordinary skill in the 
art at the time of the invention to modify Nachenberg to include the use of this step in 
order to verify whether and when modification has taken place within an executable. 

As for claims 35 and 36, Nachenberg discloses all the limitation of the claims 
except the steps of performing a dynamic risk analysis, and determining whether an 
action is required. The general concept of performing dynamic risk analysis and 
determining whether an action is required is well known in the art as illustrated by 
Khazan, who discloses a static and a dynamic analyzer (Para. 0040, lines 12-13); and 
determining whether an action is required (Para. 0099, lines 7-11, lines 21-26). 
Therefore, it would have been obvious for one of ordinary skill in the art at the time of 
the invention to modify Nachenberg to include the use of such a dynamic analyzer in 
order to determine whether an action is required since these steps would be useful in 
reducing system overhead during the evaluation of executables for malicious code. 

Allowable Subject Matter 

7. Claims 5 and 6 are objected to as being dependent upon a rejected base claim, 
but would be allowable if rewritten in independent form including all of the limitations of 
the base claim and any intervening claims. 
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Conclusion 

8. Any inquiry concerning tliis communication or earlier communications from tine 
examiner should be directed to Paul E. Callahan whose telephone number is (571) 272- 
3869. The examiner can normally be reached on M-F from 9 to 5. 

If attempts to reach the examiner by telephone are unsuccessful, the Examiner's 
supervisor, Emmanuel Moise, can be reached on (571 ) 272-3865. The fax phone 
number for the organization where this application or proceeding is assigned is: (571) 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

/PEC/ 
AU2437 

/Emmanuel L. Moise/ 

Supervisory Patent Examiner, Art Unit 2437 



